From: "Steve Sakoman" <steve@sakoman.com>
To: Mike Crowe <yocto@mac.mcrowe.com>
Cc: Patches and discussions about the oe-core layer
	<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [dunfell][PATCH] curl: Fix CVE-2021-22924 and CVE-2021-22925
Date: Wed, 4 Aug 2021 07:29:18 -1000	[thread overview]
Message-ID: <CAOSpxdaatsBUV65JoM3nxVvZqVD3hPFjQV0V4QZvO5OtyoRL5w@mail.gmail.com> (raw)
In-Reply-To: <20210804170619.GA23238@mcrowe.com>

On Wed, Aug 4, 2021 at 7:06 AM Mike Crowe <yocto@mac.mcrowe.com> wrote:
>
> On Wednesday 04 August 2021 at 06:44:51 -1000, Steve Sakoman wrote:
> > On Tue, Aug 3, 2021 at 10:11 PM Mike Crowe via lists.openembedded.org
> > <yocto=mac.mcrowe.com@lists.openembedded.org> wrote:
> > >
> > > curl v7.78 contained fixes for five CVEs:
> > >
> > > CVE-2021-22922 and CVE-2021-22923 are only present when support for
> > > metalink is enabled. EXTRA_OECONF contains "--without-libmetalink" so
> > > these fixes are unnecessary.
> > >
> > > CVE-2021-22926 only affects builds for MacOS.
> > >
> > > CVE-2021-22924 and CVE-2021-22925 are both applicable. Take the patches
> > > from Ubuntu 20.04 curl_7.68.0-1ubuntu2.6 package which is close enough
> > > that the patch for CVE-2021-22924 applies without conflicts. The
> > > CVE-2021-22925 patch required only a small tweak to apply.
> >
> > Being curious why none of these are showing up in the reports I
> > checked the CPE database and it seems none of them are present!  So
> > that explains why.
> >
> > Do you know why they are missing?  Perhaps a status of RESERVED?  See:
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2021-22923
>
> I'm afraid that I have no idea. :( I just watch curl release announcements
> to assess the security impact on our products and spotted these.
>
> > Since they seem to be real issues though I can take the patch once you
> > send a V2 with the issue below fixed.
>
> > [ Need to have a CVE tag and your signed-off-by in both patch files. ]
>
> v2 should have arrived. I must have sneaked my previous CVE fixes through
> without them somehow. :)

My bad then :-)  I'm trying to be better about making sure that we
have the tag, status, and signed-off-by in the CVE patches!

Steve

>
> > It might make sense to whitelist the CVEs that don't apply to us so
> > that once the entries hit the database we will already have dealt with
> > them.
>
> Hopefully done.
>
> Thanks.
>
> Mike.
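An illustration of the whitelisting Steve suggests above, added here as an example; it is not Mike's v2 patch or any file from the oe-core tree. In dunfell, cve-check.bbclass reads CVE_CHECK_WHITELIST and leaves the listed IDs out of the report, so a recipe fragment (the bbappend file name below is assumed) can record the three CVEs the commit message rules out, with the reason beside each ID so the next reviewer can re-check the reasoning when the entries finally land in the database:

```bitbake
# Hypothetical curl_%.bbappend (file name assumed). In dunfell the
# cve-check class skips every ID listed in CVE_CHECK_WHITELIST, so only
# the CVEs the commit message rules out for this build belong here.
# CVE-2021-22924 and CVE-2021-22925 are deliberately absent: they are
# fixed by the backported patches, not ignored.

# Metalink-only issues; EXTRA_OECONF passes --without-libmetalink
CVE_CHECK_WHITELIST += "CVE-2021-22922 CVE-2021-22923"

# Affects curl built for macOS only
CVE_CHECK_WHITELIST += "CVE-2021-22926"
```

The two patched CVEs need no entry: cve-check picks them up from the `CVE:` tag in each patch header, which is why Steve asks for that tag in both patch files. Running `bitbake -c cve_check curl` then shows the whitelisted IDs as ignored and the tagged ones as patched rather than as open findings.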
